Friday, November 20, 2009

Certificate procedure – Step 2: Creating a certificate

Now that our request is created and since we’ll be creating the certificate ourselves, let’s just get it over with … :)

1. Copy the text file to your CA, go to the CA website: http://localhost/certsrv and select Request a Certificate

2. Select Advanced Certificate Request

3. Here, choose the second option (I’m not gonna write that whole thing out :))

4. Now we can copy the text from our request file and paste it here.

5. You will see that your certificate is pending after having clicked Submit

And that’s it, nothing more to this simple step. Next we’ll be issuing our pending request.

Post series:
1. Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006
2. Certificate procedure - Step 1: Creating a certificate request
3. Certificate procedure – Step 2: Request a certificate
4. Certificate procedure – Step 3: Issuing the certificate
5. Certificate procedure – Step 4: Assign the certificate to your website in IIS
6. Certificate procedure – Step 5: Export the private key and store in a safe location

Certificate procedure - Step 1: Creating a certificate request

In my previous post (see link below), I talked about the various steps you need to perform to create a certificate to secure your data transmission, both self-signed and officially signed.

As promised, the following posts provide a step-by-step overview of the complete procedure. Thanks to Bram Poelaert for his input!

The first step is creating the certificate request:
1. Open the IIS Manager, right click the Default Web Site and select Properties

2. On the tab Directory Security, select Server Certificate

3. In the wizard, click Next on the Welcome screen
4. Since we are creating a new certificate, select Create a new certificate

5. We are creating the request now and processing it later, so choose Prepare the request now, but send it later

6. Give the request a name, this can be anything, just make it clear what it is

7. Provide the name and OU

8. This is the most important part of your certificate: the common name. This needs to be the fully qualified domain name to which the users will be connecting.

9. Next, choose your Country, State and City

10. Save the request file to a location
11. Verify the settings you have chosen in the overview before completing the wizard.

The result will be a TXT file. In the text file you will see -----BEGIN NEW CERTIFICATE REQUEST----- & -----END NEW CERTIFICATE REQUEST-----

This is the result that can be forwarded to an official Certification Authority, but for testing purposes we’ll be issuing the certificate ourselves.
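An added example, not part of the original post: before the request file goes to a CA, this shell script uses the OpenSSL command line to confirm that the common name equals the host name users will connect to and that the key is at least 2048 bits. The function names, the host name mail.example.com and the generated sample request are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a request file before
# paying a CA to sign it. Function names and mail.example.com are assumptions.

# Common name from the request's subject (RFC 2253 form: CN=...,OU=...,O=...).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# RSA modulus size in bits, taken from the "Public-Key: (N bit)" line.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# csr_check FILE FQDN [MIN_BITS] -> 0 when the request is fit to submit.
csr_check() {
    file=$1; want=$2; min_bits=${3:-2048}; rc=0
    # -verify checks the request's self-signature; a truncated or altered paste fails here.
    if ! openssl req -in "$file" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $file is not a valid PKCS#10 request"; return 1
    fi
    cn=$(csr_cn "$file"); bits=$(csr_bits "$file")
    # Host names are case-insensitive, so compare in lower case.
    if [ "$(printf %s "$cn" | tr 'A-Z' 'a-z')" != "$(printf %s "$want" | tr 'A-Z' 'a-z')" ]; then
        echo "FAIL: common name '$cn' does not match '$want'"; rc=1
    fi
    # Public CAs reject RSA keys shorter than 2048 bits.
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-0} bits, need at least $min_bits"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: CN=$cn, $bits-bit key"; fi
    return "$rc"
}

# Constructed sample: throwaway key plus request, with the PEM label rewritten
# to the "NEW CERTIFICATE REQUEST" form the IIS wizard produces.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=BE/O=Example/OU=IT/CN=$2" 2>/dev/null &&
        sed -i.bak 's/ CERTIFICATE REQUEST-----/ NEW CERTIFICATE REQUEST-----/' "$1"
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/certreq.txt" mail.example.com
csr_check "$tmp/certreq.txt" mail.example.com   # request matches the published name
csr_check "$tmp/certreq.txt" owa.example.com    # the common name mismatch case
rm -rf "$tmp"
```

Point csr_check at the TXT file saved by the wizard and the host name users will type. On the Windows server itself, certutil -dump prints the same subject and key length fields.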

Thursday, November 19, 2009

Certificate procedure for Push Mail with Exchange 2003 SP2 and ISA 2006

Last week, a colleague and I configured an Exchange 2003 SP2 for push mail. Since it was a joint effort, I want to thank Bram Poelaert for his help and expertise. All information in these posts is therefore the result of our teamwork.

First a small overview. We were installing and configuring an ISA 2006 server with 1 network adapter to publish the OMA and OWA functionalities to the external world for push mail functionalities. In the backend, an Exchange 2003 SP2 is serving as the mail server. We’ll be offloading the SSL on the ISA 2006 server. To complete the picture, a CheckPoint firewall is placing the ISA in the DMZ by using the three zones: untrusted, DMZ & trusted.

As always, the most difficult (and critical) part of the installation isn’t the configuration of Exchange or even ISA 2006, but the installation of the necessary certificate. This is what this post will be about.

Having an official authority create a certificate for you costs quite a bit of money, so you don’t want to have to do it twice. For that reason, it’s always best to test your procedures by creating a certificate yourself and making sure your certificate request is correct.

To create and install a certificate yourself, these steps have to be completed:
1. Create a certificate request via IIS web wizard
2. Process the request via your Certification Authority (CA)
3. Issue the pending certificate in CA
4. Assign the certificate to your website in IIS
5. Export the private key and store in a safe location

When you connect to your secure website, make sure that no error messages are displayed. The most frequent mistakes are a common name that is not the same as the URL and a certificate chain that is broken somewhere.

Also, be careful with the private key. This key resides on the computer that created the certificate request. Do NOT import the certificate again (via MMC for example) before having the private key exported. If you do, the private key will be gone and you cannot use the certificate!

OK, you’ve tested your certificate and it works as you expected. Cool! Now delete everything and start over by creating a new certificate request that you can send to the third party for the creation of your certificate.
1. Create a certificate request via IIS web wizard
2. Send the certificate request (TXT file) to the CA
3. Import the certificate received in IIS web wizard
4. Export the private key and store in a safe location
5. Install the certificate and the private key on the ISA 2006 server
6. Use the certificate to secure the data

In my next post I’ll go over the process step-by-step for an easy manual.
I hope this can already put you well underway.

Enjoy!

Friday, November 06, 2009

Manually upgrading the vpxa agent of an ESX server

During my ESX 2.5 Upgrade project I ran into some VM migration problems.
As soon as the vmdk was too big to be able to complete the migration in 25 minutes, the operation would fail.

A cause could have been that the version of the vpxa agent on the ESX 2.5 agent was of a different build than the vpxa agent on the ESX 3.5 destination host. So I needed to manually upgrade the vpxa agent of the ESX 2.5 host.

As you can figure, documentation on how to do this isn’t very widely spread, so I decided to write a short blog post on it:
1. Log into the VC server locally and browse to the “Upgrade” folder. Default: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\Upgrade
2. Browse to the correct vpx upgrade file for the ESX server version you need to upgrade the vpxa agent on.
My ESX 2.5 was version 2.5.2 so I needed vpx-upgrade-esx-4-linux-*. I found this info in the bundleversion.xml file

3. Copy this file to the ESX host you need to upgrade the vpxa agent on via WinSCP, PenguiNet or something like it.
4. Log into the ESX host as root and browse to the folder where you have copied the upgrade file
5. Run the command: service vmware-vpxa restart
This will stop and start the agent and automatically upgrade its version. This shouldn’t take more than 5 – 10 seconds.
6. Now log back into the VirtualCenter server locally and restart the services:
a. VMware License Server
b. VMware VirtualCenter Server

OK, that’s it. Your vpxa agent is now upgraded to the version and build you have selected. It could be that in VC itself you will have to disconnect the ESX host and then connect it again.

Thursday, November 05, 2009

ESX command line commands

I am currently busy designing a migration strategy for a large ESX 2.5.2 migration to ESX 3.5 for one of our customers. (yeah I know, a little late ... but at least they will migrate immediately to vSphere 4 :))

While doing my tests I type the commands mostly only once and from then on use the arrow keys to go up to previous commands. You know how it goes: as lazy as you can get it ... :)

Anyways, I decided I would post most of these commands here. Not just for you guys, but admittedly also for myself as I regularly find myself looking through my memory for correct syntaxes ... :)

List files:
vmware-cmd -l
List path and names of registered VM vmx files on the present host

Get state vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx getstate
Retrieve power state of the VM: off, on, suspended, stuck

Reboot vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx reset trysoft/hard
Reboot the VM. First try a nice shutdown (trysoft), then if necessary force a shutdown before reboot (hard).

Power on vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx start
Power on the VM

Shutdown vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx stop trysoft/hard
Shutdown/halt the VM. First try a nice shutdown (trysoft), then if necessary force a shutdown (hard).

Suspend vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx suspend
Suspend the VM

Verify snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx hassnapshot
Query if VM has a snapshot

Create snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx createsnapshot name description quiesce memory
Quiesce will quiesce file system writes, while Memory will grab the memory state

Revert to snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx revertsnapshot
Revert to the previously created snapshot (you lose the current VM state!)

Remove snapshot
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx removesnapshots
Remove previously created snapshots (you keep the current VM state!)

Register vm
vmware-cmd -s register /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx
Register VM (add to inventory)

Unregister vm
vmware-cmd -s unregister /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx
Unregister VM (remove from inventory)

Answer vm
vmware-cmd /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmx answer
Answer a pending request for user input

Extend virtual Disk
vmkfstools -X 12G ./testing.vmdk
Extend an existing virtual disk to 12 GB.
Be aware: if the shrunk size is smaller than the partition size in the guest, data loss or a corrupted system may result!

Copy virtual disk
vmkfstools -i /vmfs/volumes/'vmfslabel'/'VMName'/'VMName'.vmdk /vmfs/volumes//'VMName'.vmdk
Copy vmdk from one vmfs to another datastore

Export virtual disk
vmkfstools -i /vmfs/'VMName'/'VMName'.vmdk -d 2gbsparse //'VMName'.vmdk
Export vmdk to ext3 partition

Rename files
vmkfstools -E
Rename files associated with a specified virtual disk

Delete Virtualdisk
vmkfstools -U
Delete files associated with the specified virtual disk

Delete folders
rm -R -f /vmfs/volumes//<VM folder>
Delete non-empty folders

Find functionality
| grep -i "
Example: cat *440*.vmx | grep -i "version"
Find a word within a file. In this example "version"

There are of course a whole lot more vmkfstools and vmware-cmd commands, but I think this gives a good start ...

Enjoy!